CVE-2026-27645
Published 2026-02-25. CVE-2026-27645: changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, the RSS single-watch endpoint reflects the UUID path…
Priority: P338 · Severity: medium 6.1 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Exploit: EPSS 0.45% (35.6th percentile)
changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, the RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. Version 0.54.1 contains a fix for the issue.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dgtlmoon | changedetection.io | < 0.54.1 | 0.54.1 |
| dgtlmoon | changedetection.io | >= 0 < 0.54.4 | 0.54.4 |
| dgtlmoon | changedetection.io | >= 0 < 0.53.7 | 0.53.7 |
| webtechnologies | changedetection | < 0.54.1 | 0.54.1 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| ghsa | 6.1 | MEDIUM | |
| osv | 6.1 | MEDIUM | |
GHSA
changedetection.io has Reflected XSS in its RSS Tag Error Response
ghsa · 2026-03-04 · CVSS 6.1 · CVE-2026-29038 [MEDIUM] · CWE-79
A reflected cross-site scripting (XSS) vulnerability was identified in the `/rss/tag/` endpoint of changedetection.io. The `tag_uuid` path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns `text/html` by default for plain string responses, the browser parses and executes injected JavaScript.
This vulnerability persists in version **0.54.1**, which patched the related XSS in `/rss/watch/` (CVE-2026-27645 / GHSA-mw8m-398g-h89w) but did not address the identical pattern in the tag RSS endpoint.
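The pattern shared by CVE-2026-27645 (`/rss/watch/`) and CVE-2026-29038 (`/rss/tag/`), shown as an added example that is not changedetection.io's code: a Flask view that returns a plain `str` is served as `text/html`, so a path parameter echoed into a "not found" message is rendered as markup by the browser. The hardened app beside it applies two independent fixes, parsing the parameter as a UUID before use and sending the error as `text/plain` with the value escaped. Route names follow the advisories; the response wording, the in-memory stores, `parse_uuid`, `not_found` and `probe` are assumptions for illustration. Requires Flask (which pulls in markupsafe).

```python
"""Reflected XSS through an unescaped path parameter in a Flask error
response: the vulnerable pattern and a hardened version side by side.

Added example, not code from changedetection.io. Route paths mirror the
advisories; everything else (stores, wording, helper names) is assumed.
"""
import uuid

from flask import Flask, Response, abort
from markupsafe import escape

# Constructed stand-ins for the application's watch and tag stores.
WATCHES = {"6f6d4a2e-0c9b-4a1c-9f0e-1c2b3a4d5e6f": "example watch"}
TAGS = {"0e1d2c3b-4a59-4687-95a4-b3c2d1e0f9a8": "example tag"}

# Constructed probe payload: no "/" so Flask's default <string> converter
# accepts it as a single path segment.
PAYLOAD = "<svg onload=alert(1)>"


def create_vulnerable_app() -> Flask:
    """The pattern the advisories describe: the untrusted segment is formatted
    into a plain string and returned. Flask sends a str as text/html, so the
    browser renders whatever markup the attacker put in the URL."""
    app = Flask("vulnerable")

    @app.route("/rss/watch/<watch_uuid>")
    def rss_watch(watch_uuid):
        if watch_uuid not in WATCHES:
            return f"Watch with UUID {watch_uuid} not found", 404
        return "rss body", 200

    @app.route("/rss/tag/<tag_uuid>")
    def rss_tag(tag_uuid):
        if tag_uuid not in TAGS:
            return f"Tag with UUID {tag_uuid} not found", 404
        return "rss body", 200

    return app


def create_hardened_app() -> Flask:
    """Two fixes, either of which alone prevents the XSS:
    1. parse the segment as a UUID first; anything else gets a generic 404
       that never echoes the input;
    2. never echo untrusted input as text/html: escape it and pin text/plain."""
    app = Flask("hardened")

    def parse_uuid(value: str) -> str:
        try:
            return str(uuid.UUID(value))   # canonical form, hex and dashes only
        except ValueError:
            abort(404)                      # invalid id: nothing is reflected

    def not_found(kind: str, value: str) -> Response:
        # value is already a validated UUID; escaping is defence in depth,
        # and the explicit mimetype stops the browser treating it as HTML.
        body = f"{kind} with UUID {escape(value)} not found"
        return Response(body, status=404, mimetype="text/plain")

    @app.route("/rss/watch/<watch_uuid>")
    def rss_watch(watch_uuid):
        watch_uuid = parse_uuid(watch_uuid)
        if watch_uuid not in WATCHES:
            return not_found("Watch", watch_uuid)
        return Response("rss body", mimetype="application/rss+xml")

    @app.route("/rss/tag/<tag_uuid>")
    def rss_tag(tag_uuid):
        tag_uuid = parse_uuid(tag_uuid)
        if tag_uuid not in TAGS:
            return not_found("Tag", tag_uuid)
        return Response("rss body", mimetype="application/rss+xml")

    return app


def probe(app: Flask, path: str) -> dict:
    """Request the path with Flask's test client and report status, mimetype
    and whether PAYLOAD came back unescaped in the body."""
    resp = app.test_client().get(path)
    body = resp.get_data(as_text=True)
    return {
        "status": resp.status_code,
        "content_type": resp.mimetype,
        "reflected_raw": PAYLOAD in body,
    }


if __name__ == "__main__":
    for name, factory in (("vulnerable", create_vulnerable_app),
                          ("hardened", create_hardened_app)):
        for route in ("/rss/watch/", "/rss/tag/"):
            print(name, route, probe(factory(), route + PAYLOAD))
```

The vulnerable app answers `/rss/watch/<svg onload=alert(1)>` with a 404 whose body is `text/html` and contains the payload verbatim; the hardened app rejects it before any response text is built, and for a well-formed but unknown UUID returns a `text/plain` 404. The UUID check is the stronger of the two fixes because it removes the reflection entirely; the mimetype and escaping protect any other code path that still echoes the value.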
## Package
- **Ecosystem:** pip
- **Package:** changedetection.io
- **Affected versions:** …
… HTML tag on the homepage without authentication:
1. Attacker visits the target's homepa…
OSV
CVE-2026-29038 [MEDIUM] changedetection.io has Reflected XSS in its RSS Tag Error Response (osv · 2026-03-04 · CVSS 6.1); the OSV record carries the same advisory text as the GHSA entry above.
OSV
changedetection.io Vulnerable to Reflected XSS in RSS Single Watch Error Response
osv · 2026-02-25 · CVE-2026-27645 [MEDIUM]
### Summary
Three security vulnerabilities were identified in [changedetection.io](http://changedetection.io/) through source code review and live validation against a locally deployed Docker instance. All vulnerabilities were confirmed exploitable on the latest version (0.53.6). They were additionally validated at scale against 500 internet-facing instances discovered via the FOFA search engine, producing 5K+ confirmed detections using a custom Nuclei template, demonstrating widespread real-world impact.
The RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and e…
GHSA
CVE-2026-27645 [MEDIUM] CWE-79 changedetection.io Vulnerable to Reflected XSS in RSS Single Watch Error Response (ghsa · 2026-02-25, GHSA-mw8m-398g-h89w); the GHSA record carries the same summary and description as the OSV entry above.
No detection rules found.
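Since the page lists no detection rule, here is an added log-side check that is not from the page, the project or any published template: it scans web server access log lines for requests to the two vulnerable RSS routes whose id segment is not a well-formed UUID, which is what an XSS probe of these endpoints looks like once the payload is URL-decoded. It assumes the combined log format with the request line in double quotes and the routes `/rss/watch/<id>` and `/rss/tag/<id>` as named in the advisories; `SAMPLE_LOG` and the helper names are constructed for illustration. A well-formed UUID that 404s is deliberately not flagged, since that is just an unknown feed.

```python
"""Flag probes of the changedetection.io RSS error-response XSS in access
logs. Added example; the log lines, regexes and helper names are assumptions.
"""
import re
from urllib.parse import unquote

UUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)
# Request line of a combined-format access log: "METHOD path HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# Exactly one segment after the vulnerable prefix (an optional query string is
# tolerated); a deeper path is some other route and is ignored.
RSS_RE = re.compile(r"^/rss/(?P<kind>watch|tag)/(?P<id>[^/?]+)(?:\?.*)?$")
# Markup or handler-attribute fragments in the decoded id segment.
MARKUP_RE = re.compile(r"[<>\"']|javascript:|\bon[a-z]+=", re.IGNORECASE)

# Constructed sample log: one legitimate feed fetch, two XSS probes, one
# unknown-but-valid UUID, one unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Feb/2026:10:01:02 +0000] "GET /rss/watch/6f6d4a2e-0c9b-4a1c-9f0e-1c2b3a4d5e6f HTTP/1.1" 200 1841 "-" "FeedReader/1.0"
203.0.113.9 - - [25/Feb/2026:10:01:05 +0000] "GET /rss/watch/%3Csvg%20onload%3Dalert(1)%3E HTTP/1.1" 404 42 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Feb/2026:10:02:11 +0000] "GET /rss/tag/%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E HTTP/1.1" 404 78 "-" "curl/8.5.0"
198.51.100.4 - - [25/Feb/2026:10:02:12 +0000] "GET /rss/tag/00000000-0000-4000-8000-000000000000 HTTP/1.1" 404 40 "-" "curl/8.5.0"
192.0.2.10 - - [25/Feb/2026:10:03:00 +0000] "GET /static/styles.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def classify(path: str):
    """Return {"kind", "id", "reason"} for a suspicious RSS request path, or
    None when the path is unrelated or carries a well-formed UUID."""
    m = RSS_RE.match(path)
    if not m:
        return None
    ident = unquote(m.group("id"))       # decode %3C etc. before inspecting
    if UUID_RE.match(ident):
        return None                      # normal fetch, or an unknown id
    reason = "markup in id segment" if MARKUP_RE.search(ident) else "non-UUID id segment"
    return {"kind": m.group("kind"), "id": ident, "reason": reason}


def scan(log_text: str) -> list:
    """One finding per suspicious line: (client ip, endpoint kind, reason, decoded id)."""
    findings = []
    for line in log_text.splitlines():
        r = REQUEST_RE.search(line)
        if not r:
            continue                     # not a request line we understand
        verdict = classify(r.group("path"))
        if verdict is None:
            continue
        client = line.split(" ", 1)[0]   # first field of the combined format
        findings.append((client, verdict["kind"], verdict["reason"], verdict["id"]))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

Run against the constructed sample it reports the two probes and nothing else. On a patched instance the same requests are harmless, so the rule is most useful combined with the version table above: a hit against an instance below 0.54.1 (or 0.54.4 for the tag endpoint) deserves a look at what the victim's browser was sent.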
Nuclei
Changedetection.io RSS Single Watch - Cross-Site Scripting
nuclei · CVSS 6.1 · CVE-2026-27645 [MEDIUM]
Template fragment as captured (truncated):
```yaml
… changedetection.io ", "Watch with UUID")'
    condition: and
# digest: 4b0a00483046022100980ebbe0196f0ec9e911048f043a54c5b3f8a9c94f86b0a28ef0c216cc7b13d7022100b14803160257b12a43c4d1c85ed3ca67e32f3b7c50e6f952ae8e0bd80bfc0b8b:922c64590222798bb761d5b6d8e72950
```
Published: 2026-02-25